codex-review
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill frequently uses the command codex exec --dangerously-bypass-approvals-and-sandbox. This flag explicitly instructs the underlying tool to bypass security boundaries and execute LLM-generated code without user confirmation.
- REMOTE_CODE_EXECUTION (HIGH): The skill creates a direct path for Remote Code Execution by piping untrusted external data (from git diff or gh pr view) into an execution engine that has been stripped of its sandbox. An attacker could submit a Pull Request containing malicious instructions hidden in code comments or metadata, which would be executed by the agent during the automated review/fix cycle.
- INDIRECT PROMPT INJECTION (LOW): The skill lacks any boundary markers or sanitization when processing external code. It is designed to ingest and act upon the contents of repositories and PRs, making it a primary target for indirect injection attacks.
- UNVERIFIABLE DEPENDENCIES (MEDIUM): The skill relies on codex-cli, which is not a verified or trusted tool. Running an unverified binary with sandbox-bypass flags represents a significant supply-chain and runtime risk.
Recommendations
- AI detected serious security threats
Audit Metadata